RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)

From: Fitzgerald, John (John.Fitzgerald@petro-canada.com)
Date: Wed Feb 05 2003 - 01:51:14 PST

Next message: Fitzgerald, John: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)"

Previous message: H C: "Re: DoS Attacks, Detecting the Source, and Service Providers"
Next in thread: Fitzgerald, John: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Whoops - I was transposing my email threadz .... sorry about that

Hey but I wish we could give the ISPs an incentive to filter or at least
enforce strict source address validation at ingress to the Internet

Sorry again

John

-----Original Message-----
From: Valdis.Kletnieksat_private [mailto:Valdis.Kletnieksat_private]
Sent: 03 February 2003 19:05
To: Joel Tyson
Cc: Incidents Mailing List
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
with spoofed microsoft.com ip) 


On Mon, 03 Feb 2003 10:40:02 EST, Joel Tyson <jtysonat_private>  said:

> The best way to handle these types of packets would be to route them to a
> null0 interface.  This way the packets will be dropped without icmp
response.
> Typically all ISP should have these ACL's configured on their border
routers;
> but they don't.  

There's not much financial incentive for many ISPs to filter - when you're
billing based on traffic volume, you don't really want all those probes to
go away.  So what if 20% of the traffic is probes?  That's 20% more income
for the provider, and many providers are in a financial crunch - that 20%
may be all that's keeping them afloat.  As long as they don't get burned by
an SQL worm that takes out their infrastructure too, why should the filter?

/Valdis (who is having a more-cynical-than-usual day)

            ***********************
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.  We honour similar requests relating to the privacy of email communications.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Fitzgerald, John: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)"
Previous message: H C: "Re: DoS Attacks, Detecting the Source, and Service Providers"
Next in thread: Fitzgerald, John: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 wi th spoofed microsoft.com ip)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 12:52:15 PST